[Senate Hearing 118-327]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 118-327

                    THE FEDERAL AND NON-FEDERAL ROLE
                   OF ASSESSING CYBER THREATS TO AND
                   VULNERABILITIES OF CRITICAL WATER
                  INFRASTRUCTURE IN OUR ENERGY SECTOR

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON 
                            WATER AND POWER

                                 OF THE

                              COMMITTEE ON
                      ENERGY AND NATURAL RESOURCES
                          UNITED STATES SENATE

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 10, 2024

                               __________
                               
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                               

                       Printed for the use of the
               Committee on Energy and Natural Resources

        Available via the World Wide Web: http://www.govinfo.gov
        
                                __________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
55-889                  WASHINGTON : 2025                  
          
-----------------------------------------------------------------------------------     
        
               COMMITTEE ON ENERGY AND NATURAL RESOURCES

                JOE MANCHIN III, West Virginia, Chairman
RON WYDEN, Oregon                    JOHN BARRASSO, Wyoming
MARIA CANTWELL, Washington           JAMES E. RISCH, Idaho
BERNARD SANDERS, Vermont             MIKE LEE, Utah
MARTIN HEINRICH, New Mexico          STEVE DAINES, Montana
MAZIE K. HIRONO, Hawaii              LISA MURKOWSKI, Alaska
ANGUS S. KING, JR., Maine            JOHN HOEVEN, North Dakota
CATHERINE CORTEZ MASTO, Nevada       BILL CASSIDY, Louisiana
JOHN W. HICKENLOOPER, Colorado       CINDY HYDE-SMITH, Mississippi
ALEX PADILLA, California             JOSH HAWLEY, Missouri
                                 ------                                

                    Subcommittee on Water and Power

                            RON WYDEN, Chair

BERNARD SANDERS                      JAMES E. RISCH
CATHERINE CORTEZ MASTO               MIKE LEE
JOHN W. HICKENLOOPER                 JOHN HOEVEN
ALEX PADILLA                         BILL CASSIDY

                      Renae Black, Staff Director
                      Sam E. Fowler, Chief Counsel
                Sarah Kessel, Professional Staff Member
              Justin J. Memmott, Republican Staff Director
           Patrick J. McCormick III, Republican Chief Counsel
                  Jack Holt, Republican Junior Counsel
                           
                           
                           C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

                                                                   Page
Wyden, Hon. Ron, Subcommittee Chair and a U.S. Senator from 
  Oregon.........................................................     1
Risch, Hon. James E., Subcommittee Ranking Member and a U.S. 
  Senator from Idaho.............................................     2

                               WITNESSES

Turpin, Terry, Director, Office of Energy Projects, Federal 
  Energy Regulatory Commission...................................     4
Wright, Virginia, Cyber-Informed Engineering Program Manager, 
  Idaho National Laboratory......................................    14
Aaronson, Scott, Senior Vice President, Security and 
  Preparedness, Edison Electric Institute........................    27

          ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED

Aaronson, Scott:
    Opening Statement............................................    27
    Written Testimony............................................    30
    Responses to Questions for the Record........................    52
Risch, Hon. James E.:
    Opening Statement............................................     2
Turpin, Terry:
    Opening Statement............................................     4
    Written Testimony............................................     7
    Responses to Questions for the Record........................    46
Western Governors' Association:
    Letter for the Record........................................    54
    Policy Resolution 2022-05....................................    55
Wright, Virginia:
    Opening Statement............................................    14
    Written Testimony............................................    16
    Responses to Questions for the Record........................    48
Wyden, Hon. Ron:
    Opening Statement............................................     1

 
                    THE FEDERAL AND NON-FEDERAL ROLE
                   OF ASSESSING CYBER THREATS TO AND
                   VULNERABILITIES OF CRITICAL WATER
                  INFRASTRUCTURE IN OUR ENERGY SECTOR

                              ----------                              


                       WEDNESDAY, APRIL 10, 2024

                               U.S. Senate,
                   Subcommittee on Water and Power,
                 Committee on Energy and Natural Resources,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:30 p.m. in 
Room SD-366, Dirksen Senate Office Building, Hon. Ron Wyden, 
Chair of the Subcommittee, presiding.

             OPENING STATEMENT OF HON. RON WYDEN, 
                    U.S. SENATOR FROM OREGON

    Senator Wyden. The Subcommittee will come to order, and 
today we are going to be looking at critical infrastructure 
sector issues, particularly threats and cybersecurity. I also 
want to thank the Ranking Minority Member. We have had really 
good cooperation with the staff on this and that's how it 
should be.
    The dams that generate our hydropower are no exception to 
the serious set of threats that we are facing in cybersecurity, 
generally. Countries like China and Russia present a 
significant national security concern, as they have the ability 
to shut down core functions of our society, and even cause 
death, by hacking critical infrastructure.
    Today, the Subcommittee is being told by the Federal Energy 
Regulatory Commission, which licenses 2,500 dams, that the dams 
responsible for well over half of the non-federal power 
generation have not received a cybersecurity audit. And 
currently, there is no plan to complete these missing audits 
any time soon. FERC has told my staff--we want to thank them 
for their cooperation and the forthcoming way in which they 
have handled this--they have told my staff that they simply 
don't have the ability to review the remaining dams within the 
next decade. A big part of the challenge is that FERC has just 
four cybersecurity experts to oversee 2,500 dams. Today, there 
are no minimum standards, no audits of a majority of dams, and 
bad cybersecurity. That is inviting cybersecurity trouble in 
the Pacific Northwest.
    As the Chairman of the Subcommittee responsible for dams, I 
don't want to sit around and wake up to a news report about a 
small town in the Pacific Northwest getting wiped out because 
of a cybersecurity attack against a private dam upriver. FERC 
cybersecurity rules only apply to dams that are remotely 
managed over the internet. This practice enables companies to 
save money by not requiring an operator on-site. Those cost 
savings for the dam operator lead to significantly greater 
cyber risks. In addition, there are no mandatory cybersecurity 
requirements for dams only administered by on-site operators. 
To make matters worse, FERC cybersecurity rules have not been 
updated since 2016, they aren't specific enough, and are mostly 
about paperwork and checking boxes. FERC doesn't have the 
resources it needs to be an effective regulator of the 
cybersecurity of private-sector-run dams. This is a problem for 
the Congress to address.
    Now it's time for Congress to step up. The seriousness of 
cyber threats to critical infrastructure has been clear for 
years. Companies and agencies across the Federal Government 
have been slow to respond to the cyber threats, which are the 
result of a combination of factors, including weak regulation, 
no audits, and no accountability. For example, last year I 
asked the Department of Homeland Security Cyber Safety Review 
Board to look into the theft of senior government officials' 
emails from Microsoft servers. DHS published the board's report 
last week, which documented numerous cybersecurity problems 
that seriously undermine U.S. national security. Microsoft 
software is used widely across the U.S. Government and 
industry. And if you look at these practices, which we have 
seen for years now, they are undermining America's cyber 
defenses and creating a serious threat to national security.
    One of the central issues is that the United States does 
not have a more coordinated approach to cybersecurity. The 
cybersecurity of each part of our society is regulated in a 
different way, and some end up not being regulated at all. Some 
have rules. Some have the honor system. My own view is, this is 
not good enough. So there is no wonder that there are broad 
parts of our government and society with awful cybersecurity, 
no effective rules, and no cyber safety regulatory efforts. The 
Congress needs to address cybersecurity broadly rather than 
playing whack-a-mole one industry or agency at a time. 
Unfortunately, we can't solve the biggest problem in this 
Subcommittee. We can accelerate updating FERC's cybersecurity 
standards, making sure those standards are effective and apply 
to all dams. That will help protect the United States from a 
serious national security threat.
    I look forward to working with our witnesses and all 
members of the Committee to deal with this scope and scale of 
an enormous challenge in our hydroelectric systems and others 
so the Congress is equipped to develop targeted responses. 
Before I yield to Senator Risch, I want the record to note, and 
I guess I talked for about seven minutes, and I didn't hear 
anybody talk about is this a Democratic approach or a 
Republican approach. This is an American approach. And I intend 
to work very closely with the Ranking Minority Member, my 
friend from the Pacific Northwest, Senator Risch.

           OPENING STATEMENT OF HON. JAMES E. RISCH, 
                    U.S. SENATOR FROM IDAHO

    Senator Risch. Well, thank you, Mr. Chairman. You and I 
have served together for many years, not just on this 
Committee, but also both of us are senior members of the 
Intelligence Committee, and cybersecurity has certainly been in 
our wheelhouse. With that in mind, it is only fitting that we 
meet to discuss the two topics as pertinent as hydropower and 
energy security and resiliency in this Committee meeting.
    I have here, as a witness, Ms. Virginia Wright, who is the 
Cyber-Informed Engineering Program Manager at the Idaho 
National Laboratory. Glad to have her with us. But also, Mr. 
Chairman, you should know that Mr. John Wagner is here, who is 
the Director of the Idaho National Laboratory. The INL, as most 
people know, is the flagship laboratory, not only in the United 
States, but the world and the universe for nuclear energy. 
Interestingly, what most people don't know is that the INL is 
quickly becoming also the flagship laboratory for cybersecurity 
matters, and as big as the nuclear issue is there and has been 
since shortly after World War II, the budget for cybersecurity 
is increasing. And within a few years, or maybe even less, the 
budget for cybersecurity at that lab is going to overtake the 
budget for nuclear. So the Idaho National Laboratory is a big 
deal for Idaho, it's a big deal for America, and certainly, 
it's a big deal in the field of cybersecurity.
    You know, it's really impossible to overstate the 
importance of dam infrastructure in Idaho. Dams have allowed us 
in Idaho to transform desert into fertile farmland, account for 
flood control, and transport commodities far beyond Idaho, and 
are critical to meeting our growing energy demands. Hydropower 
accounts for over half of our in-state electricity generation 
and contributes significantly to affordability. Idaho boasts 
the fourth lowest electric rates in the country, thanks in 
large part to hydropower, which, of course, dams are critical 
to. We've got an array of federal, local, and private dams 
ranging from a couple of kilowatts to the Brownlee Dam, 
operated by Idaho Power, on the Idaho-Oregon border, which is 
the largest generation capacity of any privately owned dam in 
America. Besides being a clean, renewable, and affordable 
resource, hydropower is also integral to our security and 
resiliency. Hydro facilities provide dispatchable, always-on 
power with the ability to ramp up in the case of extreme 
weather events and stabilize the grid. Additionally, many 
hydropower facilities are black-start capable, meaning they can 
quickly come back online after an incident without the need for 
external power from the grid. Hydropower fulfills a 
backstopping role in so much of our energy security. It is 
vital. We best ensure that hydroelectric infrastructure itself 
is secure.
    In Idaho, we are proud to be home to experts working 
diligently to that end at the Idaho National Lab. My Committee 
colleagues have heard me discuss at length INL's role as our 
flagship nuclear energy research institution. But what a lot of 
people don't realize is, as I have said, is that cybersecurity 
is increasing dramatically. INL performs cutting-edge energy 
system research and development, ensuring cyber and physical 
threat information in conducting cyber and physical security 
assessments. I am pleased to have with us today, as I said, an 
important person that is involved in that from the lab. She and 
her team at the INL, in partnership with DOE, pioneered the 
CIE, the cyber-informed engineering concept to build cyber and 
safeguard practices into infrastructure from the beginning. CIE 
and other related practices are now being implemented across 
critical infrastructure development and improvements. I look 
forward to learning more about this important work--work that 
is, as we have underscored already, critically important to our 
infrastructure and how we can improve its application to the 
resiliency of our hydropower infrastructure.
    Thank you, Mr. Chairman.
    Senator Wyden. Thank you very much, Senator Risch, and it's 
good to have Idaho in the house today.
    Senator Risch. It is.
    Senator Wyden. It is very welcome, and I can just tell you, 
Ms. Wright, the staff has already been very complementary of a 
number of things going on there at the Idaho National 
Laboratory. So we look forward to working closely with you.
    We've got three really good witnesses today.
    Terry Turpin, Director of the Office of Energy Projects at 
FERC. He started his career at the Commission in 1998 as a 
staff engineer, where he was responsible for the review of 
natural gas pipeline applications. If I read in detail all of 
his accomplishments, I would have you here until breakfast 
tomorrow, but we are glad you are here Mr. Turpin. Welcome.
    As I say, Virginia Wright, Program Manager for Cyber-
Informed Engineering at the Idaho National Laboratory. She 
leads implementation of the National Strategy for Cyber-
Informed Engineering at the Department of Energy. So, she's 
already been recognized by her colleagues nationally and we 
wanted to note that.
    Then we have Scott Aaronson, Senior Vice President of 
Security and Preparedness, Edison Electric Institute. Scott 
leads the EEI Security and Preparedness team, where he focuses 
on industry security and resilience initiatives and 
partnerships between government and electric companies. And I 
think it's well known that we work very closely with you and a 
cross section of environmental and labor leaders to get the 
clean energy tax credits, and we very much appreciate your 
contributions there at EEI.
    So let's go right to our witnesses. We will start with you, 
Mr. Turpin, and I think we have a general agreement, everybody 
is going to try and stick to five minutes, and it's going to be 
a little crazy after a while because we have some votes and 
whatnot, but let's just get all our witnesses in before 
anything happens in the way of votes, and we will go with Mr. 
Turpin, Ms. Wright, and Mr. Aaronson.
    Mr. Turpin, welcome.

STATEMENT OF TERRY TURPIN, DIRECTOR, OFFICE OF ENERGY PROJECTS, 
              FEDERAL ENERGY REGULATORY COMMISSION

    Mr. Turpin. Thank you very much, sir.
    Chairman Wyden, Ranking Member Risch, and members of the 
Subcommittee, good afternoon. My name is Terry Turpin, and I am 
Director of the Office of Energy Projects at the Federal Energy 
Regulatory Commission. The Office is responsible for taking a 
lead role in carrying out the Commission's activities in 
reviewing infrastructure projects. This includes the licensing, 
administration, and safety of non-federal hydropower projects, 
the authorization of interstate natural gas pipelines and 
storage facilities, and the authorization of liquefied natural 
gas terminals. I appreciate the opportunity to appear before 
you today to discuss the Commission's program regarding 
cybersecurity for dam structures associated with hydropower. As 
a member of the Commission staff, the views I express in my 
testimony are my own and not necessarily those of the 
Commission or of any individual Commissioner.
    There are hydropower projects in nearly every U.S. state 
and on most major river systems of the U.S., with more than 100 
gigawatts of electric generation capacity installed. 
Approximately 57 gigawatts of this generation are owned and 
operated by non-federal parties, such as private companies, 
private utilities, municipalities, electric cooperatives, 
private citizens, Indian tribes, and state agencies. Under the 
Federal Power Act, non-federal hydropower projects must be 
licensed by the Commission if they are located on a navigable 
waterway, occupy federal land, use surplus water from a federal 
dam, or are located on non-navigable waters over which Congress 
has jurisdiction under the Commerce Clause. In accordance with 
the Federal Power Act, the Commission currently regulates over 
1,600 non-federal projects, which includes about 2,500 dams.
    The Commission's dam safety and security program includes a 
focus on ensuring that the wide range of dam owners and 
operators both understand the cybersecurity measures needed to 
protect their control systems and are also aware of potential 
threats and vulnerabilities. In recognition of this, the 
Commission has developed cybersecurity measures drawn from a 
risk-based, descriptive model approach, which allows for 
flexibility in regulating such a diverse set of entities. These 
measures were built on guidelines issued by the National 
Institute of Standards and Technology, approaches developed 
through the North American Reliability Corporation's standards 
development process, and informed through outreach to the 
regulated industry. These measures allow dam operators and 
owners the ability to implement a defense-in-depth strategy 
based upon unique risks and constraints that they face, and 
enable them to adapt to changes in the cybersecurity 
vulnerability and threat landscape. Dam owner/operators were 
required to implement these measures by the end of calendar 
year 2018.
    Commission cybersecurity specialists audit dam operators' 
efforts regarding vulnerability and security assessments, 
documentation of cyber assets and associated criticality 
designations, implementation of cybersecurity controls, and the 
posture of on-site security. The audit process helps focus 
owner/operators' efforts on what cybersecurity measures will be 
most effective for their critical features to prevent a failure 
path that could lead to downstream consequences. Commission 
security specialists also monitor classified intelligence, 
open-sourced information, and unclassified government issuances 
from the FBI, the Cybersecurity and Infrastructure Security 
Agency, Homeland Security Information Network, and the 
Electricity Information Sharing and Analysis Center. This 
allows staff to discern pertinent security-related events, 
incidents, and trends, as well as to ensure that FERC licensees 
are made aware of potential threats and vulnerabilities. By the 
end of Fiscal Year 2024, staff of the security branch will have 
performed 271 physical security inspections and completed 
cybersecurity audits covering the owner/operators responsible 
for 37 percent of the installed non-federal hydropower 
capacity. By the end of Fiscal Year 2025, we will have 
completed audits covering 70 percent of that installed 
generation capacity.
    That concludes my remarks, and I would be very happy to 
answer any questions you might have.
    [The prepared statement of Mr. Turpin follows:]
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Senator Wyden. You almost set the land speed record for 
getting your testimony in, and I thank you.
    Senator Risch. Very much appreciated.
    Senator Wyden. Yes, indeed.
    Ms. Wright, welcome.

   STATEMENT OF VIRGINIA WRIGHT, CYBER-INFORMED ENGINEERING 
           PROGRAM MANAGER, IDAHO NATIONAL LABORATORY

    Ms. Wright. Chairman Wyden, Ranking Member Risch, and 
members of the Subcommittee, thank you for the opportunity to 
testify on a topic critical to our nation's national security. 
My name is Virginia Wright, and I am a program manager at the 
Idaho National Laboratory, one of the 17 U.S. Department of 
Energy National Laboratories. From our decades-long work in 
building and testing more than 50 nuclear reactors in the high 
desert west of Idaho Falls, INL has developed a deep 
understanding of the cybersecurity and engineering needed to 
secure systems and provide critical function assurance.
    INL, sponsored by the Department of Energy, has developed 
an approach to cybersecurity which starts at the critical 
functions of the system and the technology that performs those 
functions. This methodology, called cyber-informed engineering 
(CIE), asks the engineers who design and operate infrastructure 
systems to develop engineered controls which can mitigate the 
worst consequences that could be caused, even if adversaries 
penetrate digital defenses and gain control of operational 
technology. CIE is a method readily applicable to ensure that 
the modernization of the hydropower fleet incorporates 
designed-in cyber protections which complement the analog 
nature of the engineering inherent in today's facilities. The 
U.S. hydroelectric fleet generates 240 billion kilowatt-hours 
per year, and is very diverse in size, operational 
configuration, automation level, and importance as baseload. 
Hydroelectric facilities range in generating capacity from less 
than one megawatt to the U.S.'s largest, Grand Coulee Dam, 
which generates more than 6,800 megawatts. Fewer than 400 
facilities supply more than 90 percent of U.S. hydropower. 
Additionally, 87 percent of the U.S. fleet is over 30 years 
old, with rotating machinery and physical components that have 
lasted far beyond the expected service life.
    The largest facilities are operated by the U.S. Army Corps 
of Engineers, Bureau of Reclamation, Tennessee Valley 
Authority, and large commercial utilities--organizations with 
well-resourced cybersecurity programs. Many of the remaining 
small and medium-sized facilities are operated by entities with 
few resources to invest in vulnerability analysis and threat 
detection, but they all face the same threat landscape. 
Significant investments by Congress have allocated more than 
$753 million to programs to maintain and advance the existing 
hydropower fleet. These improvements will result in increased 
generation and grid services and they will also add digital 
technology used for automation and interconnection of systems 
within hydropower facilities, increasing the fleet's exposure 
to cyber threats and vulnerabilities.
    In testimony before the House Select Committee on January 
31, U.S. officials provided stark warnings about the 
capabilities and intent of hackers linked to the People's 
Republic of China. In her testimony, CISA Director Jen Easterly 
stated, ``This is truly an `everything, everywhere, all at 
once' scenario.'' Given the rising awareness that U.S. critical 
infrastructure is being actively targeted by nation-state 
actors with the ability to gain covert access and the intent to 
cause catastrophic harm, a broadly capable cybersecurity 
program is necessary, but not sufficient. The Federal 
Government must provide aid and incentives for critical 
infrastructure operators to proactively find and eliminate 
avenues for cyber adversaries to cause harm. This is especially 
true for small organizations who operate infrastructure with 
the potential for damaging impacts. Cyber-informed engineering 
can be used to engineer-out adversary opportunities and 
engineer-in protections from sabotage in both existing and 
newly upgraded infrastructure.
    While the Federal Government can provide financial 
resources and the expertise of the national laboratories with 
their ready stockpile of capabilities, defending against 
``everything, everywhere, all at once'' will require everyone, 
both federal and non-federal, to join forces. To address some 
of the most critical needs for assessing cyber threats and 
vulnerabilities of critical water infrastructure in our energy 
sector, INL has developed a series of urgent recommendations. 
Further recommendations and details about each are in my 
written testimony. Number one, use Cyber-informed engineering 
to add ``secure by engineering design'' protections from the 
impact of cyberattacks on the existing fleet and in designs for 
the future. Number two, support vulnerability assessments on 
commonly used technology within the hydroelectric fleet. Number 
three, develop hardening guidance to address well-known 
weaknesses in digital systems used in hydropower. And number 
four, increase the pace and the financial support for threat 
hunting across the hydropower fleet.
    I appreciate the opportunity to testify today, and I want 
to thank you for your attention to this very important issue 
for our nation. I look forward to your questions.
    Senator Wyden. You will have them momentarily.
    [The prepared statement of Ms. Wright follows:]
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Senator Wyden. Mr. Aaronson.

 STATEMENT OF SCOTT AARONSON, SENIOR VICE PRESIDENT, SECURITY 
          AND PREPAREDNESS, EDISON ELECTRIC INSTITUTE

    Mr. Aaronson. Thank you, Chairman Wyden.
    Chairman Wyden, Ranking Member Risch, members of the 
Subcommittee, I appreciate the opportunity to testify before 
you today on this important topic on critical infrastructure 
security, and specifically, those interdependencies among the 
electricity, water, and dam sector. You are going to hear some 
very consistent themes across the three witnesses. My name is 
Scott Aaronson. I am Senior Vice President for Security and 
Preparedness at the Edison Electric Institute, or EEI. EEI is 
the trade association representing all of the nation's 
investor-owned electric companies. These companies serve more 
than 250 million Americans and represent five percent of the 
United States' gross domestic product. We are fond of saying 
it's the first five percent of GDP since all other sectors rely 
on our product. And that number is only growing. With the 
proliferation of data centers for artificial intelligence and 
fueling our digital economy, more manufacturing and industrial 
processes relying on electricity, adoption of electric vehicles 
across the transportation sector, and electricity increasingly 
used for home heating, America's electric companies are more 
important than ever to our nation's security, economic 
competitiveness, and the lives and safety of our customers and 
your constituents. This is a responsibility EEI's members take 
very seriously.
    In addition to the extraordinary growth, the grid is also 
changing. With more distributed resources, two-way flows, grid-
scale battery storage, clean energy sources, and broad 
digitization enabling customer control and better visibility 
into this increasingly complex system, this is an exciting time 
to be a part of the electric power sector. But these changes 
also can bring new risks and an evolving attack surface. As the 
Director of National Intelligence Worldwide Threat Assessment 
has said publicly since 2019, ``Near-peer nation-states are 
targeting critical infrastructure to hold the United States at 
risk at a time of their choosing.'' To address these risks, the 
electric power sector uses a defense-in-depth approach that 
seeks to protect our most critical assets from compromise while 
also understanding that defenses are never infallible. So 
resilience, redundancy, and the ability to recover are integral 
to our defenses too.
    This resilience comes from a diversity of resources and 
systems that limit single points of failure. It also comes from 
the development and exercising of plans to operate degraded or 
to restart systems, known as black-start capabilities, and 
perhaps most importantly, a culture of mutual assistance that 
supports response and recovery against all hazards. This is 
most apparent when storms and natural hazards hit, but has 
grown to include cyber mutual assistance capabilities and spare 
equipment sharing programs. The energy grid is one big machine 
with thousands of owners and operators. This community has 
found common cause to work together to address the risks posed 
by both Mother Nature and man-made threats.
    In addition to these resilience efforts, the electric power 
sector also has a regulatory regime that includes mandatory and 
enforceable cyber and physical security standards. It may 
surprise the Subcommittee, but the electric power sector 
strongly supports these regulatory requirements. They provide a 
foundational level of security, and we appreciate Congress 
codifying the concept of an electric reliability organization 
in the Federal Power Act as part of the Energy Policy Act of 
2005. This construct allows experts from grid operators and 
other stakeholders to develop standards that are enforced by 
the Federal Energy Regulatory Commission. That said, 
regulations alone cannot guarantee security because security is 
not a check-the-box exercise. In fact, in order to keep up with 
adversaries, asset owners and operators must be more nimble and 
creative than just abiding by baseline regulations. This is 
where the value of partnerships is key.
    In addition to my role at EEI, I also am privileged to be a 
member of the secretariat that supports the Electricity 
Subsector Coordinating Council (ESCC). Along with the 
cooperative and public power segments of the industry, the ESCC 
brings more than two dozen CEOs and leaders from across the 
sector to work with senior government officials to prepare for 
and respond to serious threats to grid operations. The ESCC has 
been held up as a model for how critical infrastructure sectors 
can partner with each other and leverage both the industry's 
visibility into its systems and our operational excellence, 
along with the government's intelligence gathering capabilities 
and national security responsibilities. In addition to 
responding to major incidents, other ESCC priorities include 
securing the grid of the future and enhancing operation and 
collaboration between government and industry security experts.
    Fortunately, a recent example of the value of this 
partnership was the Chinese state-sponsored cyber threat known 
as Volt Typhoon that became public earlier this year. 
Fortunately, the electric power sector had been aware of the 
risk long before it made news. In fact, a small group of pilot 
companies participating in the Energy Threat Analysis Center 
(ETAC) had been working side-by-side with government to 
understand this threat and to develop and socialize mitigation 
strategies. These lessons were shared with the broader sector 
through the Electricity Information Sharing and Analysis Center 
(E-ISAC), showing a commitment to collective defense and 
information sharing that will serve us well as the electric 
power sector adapts to the new threats and challenges facing 
critical infrastructure operators.
    In addition to working with the government, the ESCC also 
values cross-sector partnerships. While we are that first five 
percent of GDP, we also rely on other sectors to support our 
sector's operations and resilience. We need telecommunications 
to communicate with field personnel and to ensure systems 
remain in balance; transportation and pipelines to move fuel; 
and water to generate steam, cool systems, and for hydropower 
through dams. As you know, these resources play a critical role 
in both the black-start capabilities that I mentioned earlier 
and in producing energy that provides important support to grid 
operations, particularly in the West. Again, EEI and its 
members are deeply committed to these partnerships, regulatory 
constructs, and resilient strategies, and to working together 
as both the energy grid and geopolitical risks continue to 
evolve.
    Thank you again for the opportunity to testify today, and I 
look forward to your questions.
    [The prepared statement of Mr. Aaronson follows:]
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Senator Wyden. Thank you, Mr. Aaronson.
    And we have five Senators here, so there's a considerable 
amount of interest. We may be expecting some more, so we will 
just proceed to get into questions.
    Let me start with you, Mr. Turpin, and again, I thank FERC 
for the cooperation that we have had. Now, you all haven't 
updated your cybersecurity requirements for commercial dam 
operators since 2016. And obviously, a lot has changed in 
cybersecurity over the past eight years. I am of the view that 
there is a need to update these requirements and incorporate 
the cybersecurity best practices that generally are part of 
what other federal regulators abide by. Your thoughts?
    Mr. Turpin. Well, I quite agree. We issued them in 2016 as 
a way to get the program started. We have been auditing 
facilities, and from those lessons learned, the full intention 
is to update those and incorporate the views of other agencies 
and things that are always being learned in this rather dynamic 
landscape.
    Senator Wyden. How long will it take to do that? Could you 
have that ready to go, say, in six months?
    Mr. Turpin. Well, I don't think six months. We will be at 
70 percent of the facilities by the end of next year, and I 
think we will definitely move to update it then. In the 
interim, we, of course, will be applying anything we have 
learned as we move forward with all of the entities.
    Senator Wyden. So how long would it take to update the 
requirements? I appreciate the fact that you all want to make 
progress. I just think it's important to have a clearly 
understood kind of loadstar, a real focus that everybody can 
abide by. I see Senator Cantwell, my partner on the Finance 
Committee. We are going to have a hearing on cybersecurity and 
healthcare in the Finance Committee. There may be some broad 
principles, and here is the Senator from Nevada as well. We 
will see some principles that will come out of that healthcare 
hearing, but what goes on with dams isn't necessarily what goes 
on with cybersecurity for health care. Dams and health care are 
different.
    So your thoughts about getting an actual target date--would 
nine months work better? I don't want to go month by month, but 
I do want to get----
    Mr. Turpin. Sure.
    Senator Wyden. I do want to get a target date for an 
update.
    Mr. Turpin. Yes, absolutely. And I mean, nine months would 
be achievable, I think.
    Senator Wyden. Good.
    Mr. Turpin. We will see, over the next five months, we will 
have completed 37 percent of those audits and that will be very 
informative for updating and getting----
    Senator Wyden. I will quit while I am ahead, nine months.
    With respect to oversight, you all have really no mandatory 
cybersecurity requirements for dams that aren't connected to 
the internet. I am concerned about foreign spies being able to 
jump the air gap and hack systems in our network, such as by 
distributing spyware on thumb drives. Do you agree that U.S. 
dams need robust cybersecurity defenses, even if their systems 
are not connected to the internet?
    Mr. Turpin. I do. We started focusing on those that were 
remotely operable as a way to get the program up and running, 
but I don't think it comprises the entire universe of what 
needs to be protected.
    Senator Wyden. All right. One last question: The Department 
of Homeland Security Cyber Safety Review Board looked into the 
theft of senior government officials' emails from Microsoft 
servers and Secretary Raimondo and others, and my understanding 
is Microsoft products were used widely in the dam sector. Is 
that right?
    Mr. Turpin. That is correct.
    Senator Wyden. Okay. So how do we take that Cyber Safety 
Review Board set of conclusions and obviously, Secretary 
Raimondo and others are concerned about what the rules are 
going to be, and what do we say about Microsoft and others 
meeting tough cybersecurity standards coming on?
    Mr. Turpin. Yes, and so, obviously, the report is of great 
concern, and as it was issued last week, we are going through 
it and we will be using that to inform any changes we might 
make, especially as we move forward over the next nine months.
    Senator Wyden. Well, consult with all of us, and we would 
appreciate that.
    Senator Risch.
    Senator Risch. Thank you, Mr. Chairman.
    Ms. Wright, I have a series of questions for you. On this 
issue on dams, do you deal only with dams that generate 
electricity--and I assume the vast majority of dams do some 
type of hydroelectric generation--but if you have just a flood 
control dam or something like that, do you still--are they in 
your sphere?
    Ms. Wright. So Senator, for the dams that provide 
agricultural or water holdback services, there still can be 
digital equipment that operate some components with those dams. 
There can be communication and status indicators that are 
installed on those dams. For that equipment, certainly, 
methodologies like cyber-informed engineering and other 
cybersecurity defenses would be appropriate. Also, as we begin 
to modernize these agricultural dams to become power-producing 
dams, as many of the more recent investments allow, that will 
introduce a significant amount of digital technology, which 
will change the risk for those agricultural dams. It is 
compounded by the fact that many of these agricultural dams are 
located in very rural communities who may not have access to 
excellent cybersecurity services. So we will have to work on 
trying to ensure that cybersecurity protections are designed-in 
as opposed to reactively applied afterwards.
    Senator Risch. So what percent of the dams are--ballpark, 
if you can give me one--what percent are the ag type dams that 
don't generate electricity? Are you able to give an estimate 
there?
    Ms. Wright. Senator, I am not today, but I would be 
delighted to get that answer and bring it back to you.
    Senator Risch. Well then, to get right down to it, how does 
this work? Do the dam operators come to you? Do you come to 
them? Are they subject to a regulatory mandate? Where are we on 
that? Just give me a general idea of how this works.
    Ms. Wright. For cyber-informed engineering, our approach is 
very broad, and we would be very open to working with 
hydroelectric owners and operators to apply the methodology at 
their facilities. As of yet, we have not done so, but we are 
eager for that opportunity. Right now, the owners and operators 
have voluntary access to a number of services offered by the 
Department of Energy's CESER organization, offered by DHS's 
Department of Dams, and other federal entities. Those tools 
include ones that allow network visibility that helps to rank 
consequences of cyber threats and that inform how one might 
perform an incident response activity at a hydroelectric 
facility.
    Senator Risch. And are there private-sector companies that 
are involved in this effort also?
    Ms. Wright. Yes, sir. With cyber-informed engineering we 
are attempting to make every one of our developments very 
public, and we have communities of practice where the private 
sector learns about cyber-informed engineering and can apply 
it.
    Senator Risch. So can you give me any kind of an idea of 
the hydroelectric dams, how many of them are now subject to the 
CIE methodology? How many of them are in practice? What 
percent?
    Ms. Wright. Right now, not very many. However, the benefit 
for the hydroelectric sector is that these dams are marvels of 
U.S. engineering, and because of their age, they have older 
equipment that is not subject to cyber vulnerabilities. So 
there is an excellent opportunity to leverage what already 
exists and build in protections as modernization brings digital 
equipment into the dam sector.
    Senator Risch. So Mr. Aaronson, your constituency, they are 
dialed in on this, I assume? Tell me what the thought process 
is.
    Mr. Aaronson. Yes, they are, and we really appreciated the 
Idaho National Lab's leadership on this. I think cyber-informed 
engineering is a concept that absolutely reflects our vision of 
resilient operations. The idea here is, digital equipment is 
terrific, but we operated the grid for the better part of the 
20th century without digital overlay. How can we operate 
degraded? How can we operate through a cyber incident? How can 
we rely on non-digital equipment to make it harder for the 
adversary. You know, one of the things I talk about a lot, just 
to maybe dig in a little bit, there are two ways to deter an 
adversary. The first is that the attack doesn't have the 
intended impact. So an adversary attacks using cyber means and 
we still maintain operations. The other way that you deter is 
that an attack has a consequence, which is the purview of our 
Armed Forces and intelligence community, and increasingly, the 
electric power sector has a responsibility to support military 
installations who are supporting forward operations. So this 
relationship between the electric power sector, defense 
installations, the intelligence community, and using things 
like cyber-informed engineering gives us a holistic approach to 
deterrents where the attack doesn't have the intended impact 
and our military can do its job.
    Senator Risch. So back to you, Ms. Wright. How rapidly are 
these dams being restructured to modernize their operations? 
What's the velocity of that or non-velocity of it that's going 
on, or are you able to speak to that?
    Ms. Wright. I would like to bring some exact numbers back 
to you----
    Senator Risch. For the record, why don't you do that?
    Ms. Wright. But what we were able to observe is that 
federal entities have granted a number of modernization efforts 
that are being carried out, both by asset owners and vendors 
who supply services to the grid, many to refit these 
agricultural dams to be power-producing and others to add 
advanced instrumentation to dams to make them more responsive 
to changing grid conditions.
    Senator Risch. I am assuming--my time is up, but let me 
close with this--I am assuming, well, we all know that the 
Idaho National Lab is world-class in control systems, 
developing operations, understanding them, and of course, that 
has been going on for decades there because of their work with 
nuclear. And I believe that the cyber growth there is a result 
of our expertise in control systems. I am assuming your 
operations bring the two of those together--the control systems 
and the cyber operations.
    Ms. Wright. Senator, that's right. And thank you for the 
opportunity to address that. The cyber-informed engineering 
methodology takes advantage of a practitioner who has been left 
out of a great many of the cybersecurity conversations, and 
that is the engineer who designs a system to perform in the 
first place and operates the critical practices. By leveraging 
the knowledge of that engineer, you can identify the 
consequences that would be most impactful in the event of a 
cyberattack and remediations that may be non-digital and out-
of-phase with the adversary to accomplish what my colleague has 
talked about, deterring the adversary because of the lack of an 
impact resulting from their activity.
    Senator Risch. That is all quite helpful.
    Thank you, Mr. Chairman.
    Senator Wyden. I thank my colleague.
    Senator Hickenlooper.
    Senator Hickenlooper. Yes, thank you, Mr. Chair, and thanks 
to all three of you for taking time out of your busy lives and 
being here with us, appreciate that.
    Mr. Aaronson, some of the emerging technologies like AI 
are, obviously, offering exciting opportunities to make our 
grid more efficient and more reliable--all types of 
electricity. And making use of these large datasets, I think, 
can help us predict demand more accurately, and also to manage 
supply more effectively. To make progress on this potential, 
President Biden has given an executive order on AI, including a 
call for a report on how AI can improve our grid 
infrastructure. So how can we test the impacts of new 
modernizing technologies on the grid and ensure that those 
improvements are safe, effective, and defensible? And then, the 
other question, and this gets back a little bit to what Ms. 
Wright was talking about--does increased reliance on AI and 
other technologies introduce new security threats that we 
should address on the front end?
    Mr. Aaronson. I see we only have a little under four 
minutes to answer this question.
    [Laughter.]
    Mr. Aaronson. So I will say, at a very high level, first of 
all, I agree completely that artificial intelligence has a lot 
of promise for grid operations. Electric companies already are 
using versions of artificial intelligence. I think the 
inflection point recently has been generative AI, but 
artificial intelligence and machine learning has been a part of 
this sector for quite some time. At the end of the day, it 
helps with grid operations, it helps with efficiencies, just as 
most digitization technologies do. I would say one of the ways, 
as I said a second ago, and as Ms. Wright was mentioning, part 
of what we need to do to negate the risk is to make sure that 
we are not putting all of our eggs in the digital basket, 
whether it's AI, whether it's just digital controls broadly, or 
what have you. The ability to operate degraded remains 
important, so let's not rely exclusively on AI, but for blue 
sky operations, AI is extraordinary. This risk that comes from 
artificial intelligence certainly comes from adversaries 
leveraging it, and it comes from poisoning the datasets that 
ultimately we would be relying on.
    And so, one of the things, I think, you need to think about 
when we think about artificial intelligence is, at the end of 
the day, it is hardware, it is software, it is data, it is 
algorithms. We know how to protect those. Now, do we completely 
understand the nuances of how AI will change that threat 
landscape? We do not. And so, I think we need to do this in a 
thoughtful, deliberative way, but that's not to say that AI is 
good or bad. AI is here and it is happening and it is valuable 
to grid operations. Let's just do it in a safe, responsible 
way.
    Senator Hickenlooper. I agree completely. And I think 
touching on that, certainly with hydroelectric generation, 
oftentimes that generation is somewhat isolated, and generally, 
it's not cost effective to have redundancy built into those 
systems at the sufficient level.
    Ms. Wright, I have to ask, do you think the NERC standards 
are sufficient to protect our grid, not just from cyberattacks 
but from the consequences that prey upon this vulnerability 
that's unavoidable, I think, to a certain extent when you have 
remote generation, which in many, not just hydroelectric, but 
other types of generation can be somewhat isolated. Are the 
NERC standards sufficient, or do we need additional state and 
local measures as well?
    Ms. Wright. Thank you, Senator.
    The NERC standards are sufficient to guide the development 
of a broadly based cybersecurity program that enables an asset 
owner to respond to a very broad category of cyber events. 
Where the Federal Government has advanced knowledge of very 
specific threats, there are opportunities for the Federal 
Government to offer aids that are specifically targeted to 
those threat conditions where a broadly based cybersecurity 
strategy may not offer sufficient protection. So in that 
measure, they are both sufficient, but there are additional 
capabilities that can be offered by the Federal Government.
    Senator Hickenlooper. So what more should be done? What 
should we be thinking? What should we be doing?
    Ms. Wright. So first, identifying what is the most 
important, and identifying means to protect it. We cannot, as 
several of my colleagues have said, we cannot spread our 
cybersecurity investment across all of the assets. Second--and 
cyber-informed engineering takes advantage of this--use what is 
there. Take the basic engineering that is already present at 
several of the hydroelectric facilities and use it to create 
defenses. And third, help focus and optimize investments that 
asset owners are making by responding with very fast targeted 
threat information. The ETAC program that was already mentioned 
and the bulletins by E-ISAC do a great job of providing a broad 
set of information to the electric sector community. Where 
those can be further refined for the hydroelectric sector, 
there will be amazing benefits.
    Senator Hickenlooper. That's great.
    I guess I am out of time. So I will yield back to the 
Chair.
    Senator Wyden. I thank you, Senator Hickenlooper. We are 
waiting for our colleagues to return. It's a hectic day here 
and I am just going to ask a couple of others and see if my 
friend Senator Risch would like to as well.
    Ms. Wright, you gave us a number of concrete 
recommendations to improve cybersecurity, and I like the 
breakdown of ``do it now'', ``you might have a little bit of 
time'', and then a longer timeline. What do you think is most 
important for Congress to help the small dam operators? You 
know, we tried to say from the beginning, big guys are out in 
front and are looking at the internet issue and the like, but 
what do you think would be most helpful for the small dam 
operators that are not currently subject to cyber requirements 
and basically are short of resources to protect themselves?
    Ms. Wright. I am going to give some very similar answers, 
Senator, and thank you for that opportunity. First, the small 
dam operators need targeted information. It is interesting to 
talk about ``everything, everywhere, all at once,'' but in a 
small cooperative or small operation where the person doing the 
cybersecurity may also be in charge of the billing, developing 
the resources to respond to everything is outside of their 
means. So targeted threat intelligence, tools that reduce the 
burden on an asset owner by being very appropriate for 
application in the hydropower environment, not just something 
general that applies across the wide expanse of critical 
infrastructure, and finally, access to technical providers who 
can aid in the installation of these solutions and potentially 
for their maintenance over time.
    Senator Wyden. Okay.
    I think we are just trying to get everybody's location and 
see. We have a vote on as well, so we will see if we can wrap 
up fairly quickly.
    Mr. Turpin, apropos of what Ms. Wright is doing with her 
categories of recommendations: ``immediate'', ``you have a 
little bit of time'', and ``maybe a bit more time'', are you 
guys working on anything resembling that? I have tried to open 
the debate up in terms of when you all thought you could get us 
an update on the rules.
    Mr. Turpin. Right.
    Senator Wyden. What else are you trying to put on a 
calendar here, I guess would be the way I would ask it?
    Mr. Turpin. Right. So I mean, right now, the focus is on 
moving through those audits and trying to understand, you know, 
how to improve that. I think, as we learn things over this next 
year, we will definitely be using that on the day-to-day and 
not waiting for anything to, you know, to have to be done in an 
update in nine months. I would echo Ms. Wright's thoughts that 
it's difficult with the smaller operators, given, as you said, 
the big folks are already out there running full charge. It is 
when you get down to the bulk of the operators that are very 
small organizations that are going to need the help. And so I 
think we will be trying to look at some of the research that 
Idaho has done and try to figure out how we could apply that to 
help the small operators as well.
    Senator Wyden. Well, let's do this. We are going to 
liberate you all and I want to again thank the Ranking Minority 
Member. We have worked together on so many things in this 
Committee and elsewhere, and I think this is really important 
work to do. I think the pace of change in the cyber area is so 
extraordinary. We are going to have to have good people like 
you three working with us as we examine these issues, and we 
thank you.
    We are going to hold the record open for colleagues to 
submit written questions.
    And with that, we will adjourn and thank our witnesses.
    [Whereupon, at 3:23 p.m., the hearing was adjourned.]

                      APPENDIX MATERIAL SUBMITTED

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                   [all]